Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients?  What does your
> ipsec.conf on the firewall look like?
>

ipsecctl shows the following during the negotiation, but the vpn client
ends the connection.

# ipsecctl -s all
FLOWS:
flow esp in from 10.107.208.20 to 10.107.208.1 peer 10.107.208.20
flow esp out from 10.107.208.1 to 10.107.208.20 peer 10.107.208.20

SADB:
esp transport from 10.107.208.20 to 10.107.208.1 spi 0x546b7788 enc 3des-cbc auth hmac-md5
esp transport from 10.107.208.1 to 10.107.208.20 spi 0x85cdd5a3 enc 3des-cbc auth hmac-md5

> On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
>> Hoping someone can point me in the right direction to get isakmpd working.
>>
>> The scenario:
>> - the router drops all traffic directed to it from the dmz net
>> - the router drops all traffic destined for the lan from the dmz
>> - the router drops all traffic destined for the dmz from the lan
>> - vlan1 (dmz) has linux hosts
>> - vlan2 (lan) has windows and linux hosts; for the purpose of this
>>   exercise, I am using a windows host
>>
>> The goals:
>> - create a way by which hosts in the lan can connect to the dmz network
>>   using ipsec/isakmpd
>> - starting off with simple auth, shared secret passphrase
>>
>> The problem:
>> - I am unable to establish a SA between the router and the lan hosts.
>>   isakmpd returns the following:
>>   155359.461787 Default message_recv: cleartext phase 2 message
>>   155359.462366 Default dropped message from 10.107.208.20 port 500 due to notification type INVALID_FLAGS
>>
>> Some background info:
>>
>> My network is as follows:
>> (trunking is next on my list, but for now, I have separate interfaces on
>> the router for each vlan)
>>
>>                  |
>>         Internet (dynamic ip)
>>                  |1.1.1.2
>>        +------------------------+
>>        |   router/fw/isakmpd    |
>>        +------------------------+
>>  10.180.16.1 |          |10.107.208.1
>>          dmz |          | lan
>>     +--------+          +--------+
>>     |                            |
>>   +-----------------------------+
>>   |           switch            |
>>   |    vlan1     |    vlan2     |
>>   +-----------------------------+
>>     |                            |
>>     |                            |
>>  +---------------+      +-------------------+
>>  |  www server   |      |   workstation 1   +
>>  | 10.180.16.250 |      |   10.107.208.20   +
>>  +---------------+      +-------------------+
>>
>> - OpenBSD Router:
>> - relevant ifconfig
>> ** internet
>> hme0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>>         lladdr xxx
>>         groups: egress
>>         media: Ethernet 100baseTX full-duplex
>>         status: active
>>         inet6 xxx%hme0 prefixlen 64 scopeid 0x2
>>         inet 1.1.1.2 netmask 0xffffe000 broadcast 1.1.1.255
>> ** lan
>> hme1: flags=8363<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,MULTICAST> mtu 1500
>>         lladdr 08:00:20:ca:7d:c5
>>         media: Ethernet 100baseTX
>>         status: active
>>         inet 10.107.208.1 netmask 0xffffff00 broadcast 10.107.208.255
>>         inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
>> ** dmz
>> hme2: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>>         lladdr 08:00:20:ca:7d:c6
>>         media: Ethernet autoselect (100baseTX full-duplex)
>>         status: active
>>         inet 10.180.16.1 netmask 0xffffff00 broadcast 10.180.16.255
>>         inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4
>>
>> # cat isakmpd.policy
>> KeyNote-Version: 2
>> Authorizer: "POLICY"
>> Licensees: "passphrase:foobar"
>> Conditions: app_domain == "IPsec policy" &&
>>         esp_present == "yes" &&
>>         esp_enc_alg == "3des" &&
>>         esp_auth_alg == "hmac-md5" -> "true";
>>
>> # isakmpd -d -4 -DA=10
>> 155358.773509 Default log_debug_cmd: log level changed from 0 to 10 for class 0 [priv]
>> 155358.775093 Default log_debug_cmd: log level changed from 0 to 10 for class 1 [priv]
>> 155358.775757 Default log_debug_cmd: log level changed from 0 to 10 for class 2 [priv]
>> 155358.776153 Default log_debug_cmd: log level changed from 0 to 10 for class 3 [priv]
>> 155358.776672 Default log_debug_cmd: log level changed from 0 to 10 for class 4 [priv]
>> 155358.777056 Default log_debug_cmd: log level changed from 0 to 10 for class 5 [priv]
>> 155358.777524 Default log_debug_cmd: log level changed from 0 to 10 for class 6 [priv]
>> 155358.777914 Default log_debug_cmd: log level changed from 0 to 10 for class 7 [priv]
>> 155358.778416 Default log_debug_cmd: log level changed from 0 to 10 for class 8 [priv]
>> 155358.778794 Default log_debug_cmd: log level changed from 0 to 10 for class 9 [priv]
>> 155358.779267 Default log_debug_cmd: log level changed from 0 to 10 for class 10 [priv]
>> 155358.788915 Misc 10 monitor_init: privileges dropped for child process
>> 155359.444597 Timr 10 timer_add_event: event connection_checker(0x4fe41420) added last, expiration in 0s
>> 155359.451947 Timr 10 timer_handle_expirations: event connection_checker(0x4fe41420)
>> 155359.452947 Timr 10 timer_add_event: event connection_checker(0x4fe41420) added last, expiration in 60s
>> 155359.453857 Timr 10 timer_add_event: event exchange_free_aux(0x44908c00) added last, expiration in 120s
>> 155359.454632 Exch 10 exchange_establish_p1: 0x44908c00 ISAKMP-peer-west Default-phase-1-configuration policy initiator phase 1 doi 1 exchange 2 step 0
>> 155359.455323 Exch 10 exchange_establish_p1: icookie 4d18594e523695f1 rcookie 0000000000000000
>> 155359.455748 Exch 10 exchange_establish_p1: msgid 00000000
>> 155359.457524 Timr 10 timer_add_event: event message_send_expire(0x4d2dab00) added before connection_checker(0x4fe41420), expiration in 7s
>> 155359.459672 Timr 10 timer_add_event: event exchange_free_aux(0x44909000) added last, expiration in 120s
>> 155359.460277 Exch 10 exchange_setup_p2: 0x44909000 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
>> 155359.460737 Exch 10 exchange_setup_p2: icookie 4d18594e523695f1 rcookie a6af81ffd3a2d153
>> 155359.461263 Exch 10 exchange_setup_p2: msgid e5eb6990 sa_list
>> 155359.461787 Default message_recv: cleartext phase 2 message
>> 155359.462366 Default dropped message from 10.107.208.20 port 500 due to notification type INVALID_FLAGS
>> 155359.462856 Timr 10 timer_add_event: event exchange_free_aux(0x44909200) added last, expiration in 120s
>> 155359.463566 Exch 10 exchange_establish_p1: 0x44909200 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 0
>> 155359.464001 Exch 10 exchange_establish_p1: icookie e82be37d8c1ae997 rcookie 0000000000000000
>> 155359.464539 Exch 10 exchange_establish_p1: msgid 00000000
>> 155359.465751 Exch 10 exchange_finalize: 0x44909200 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 1
>> 155359.466300 Exch 10 exchange_finalize: icookie e82be37d8c1ae997 rcookie 0000000000000000
>> 155359.466708 Exch 10 exchange_finalize: msgid 00000000
>> 155359.467220 Timr 10 timer_remove_event: removing event exchange_free_aux(0x44909200)
>> 155406.461707 Timr 10 timer_handle_expirations: event message_send_expire(0x4d2dab00)
>> 155406.463417 Timr 10 timer_add_event: event message_send_expire(0x4d2dab00) added before connection_checker(0x4fe41420), expiration in 9s
>>
>> Thanks,
>> Axton Grams
>>
>
Axton Grams
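The isakmpd -DA=10 trace quoted in the thread is dense enough that it helps to have a script pull out the few records that matter: which exchanges were set up, under which cookies, where the "cleartext phase 2 message" warning lands relative to them, and which drop notification follows. The following triage helper is an added example and is not code from the thread or from OpenBSD's isakmpd. It assumes only the record layout visible in the quoted output (timestamp, log class, optional level, optional function name, text); the exchange-type names are taken from the ISAKMP exchange numbers in RFC 2408 (2 = identity protection, 5 = informational), and treating a fired message_send_expire timer as a retransmission of an unanswered message is an assumption about isakmpd's timer naming, not something the thread states. The sample log is copied from the post above with the mail client's line wraps joined.

```python
"""Triage helper for isakmpd debug logs (added example, not part of the thread)."""
import re
from collections import OrderedDict

# Record layout seen in "isakmpd -d -DA=10" output:
#   <HHMMSS.usec> <Class> [<level>] [<function>:] <text>
# "Default" lines have no numeric level, and "dropped message ..." lines have no function.
LINE_RE = re.compile(
    r'^(?P<ts>\d{6}\.\d{6})\s+(?P<cls>\w+)\s+(?:(?P<lvl>\d+)\s+)?'
    r'(?:(?P<func>\w+):\s+)?(?P<text>.*)$')
# Header record of exchange_establish_p1 / exchange_setup_p2 / exchange_finalize.
EXCH_RE = re.compile(
    r'^(?P<ptr>0x[0-9a-f]+)\s+(?P<name>.+?)\s+policy\s+'
    r'(?P<role>initiator|responder)\s+phase\s+(?P<phase>[12])\s+'
    r'doi\s+(?P<doi>\d+)\s+exchange\s+(?P<exch>\d+)\s+step\s+(?P<step>\d+)$')
COOKIE_RE = re.compile(r'^icookie\s+(?P<i>[0-9a-f]{16})\s+rcookie\s+(?P<r>[0-9a-f]{16})$')
MSGID_RE = re.compile(r'^msgid\s+(?P<msgid>[0-9a-f]{8})')
DROP_RE = re.compile(r'^dropped message from (?P<peer>\S+) port (?P<port>\d+) '
                     r'due to notification type (?P<notify>[A-Z_]+)$')
# ISAKMP exchange type numbers, RFC 2408 section 3.1 (32 is IPsec DOI quick mode).
EXCH_TYPES = {1: 'base', 2: 'identity-protection', 3: 'auth-only',
              4: 'aggressive', 5: 'informational', 32: 'quick-mode'}

# Copied from the post above; MUA line wraps joined so each record is one line.
SAMPLE_LOG = """\
155359.453857 Timr 10 timer_add_event: event exchange_free_aux(0x44908c00) added last, expiration in 120s
155359.454632 Exch 10 exchange_establish_p1: 0x44908c00 ISAKMP-peer-west Default-phase-1-configuration policy initiator phase 1 doi 1 exchange 2 step 0
155359.455323 Exch 10 exchange_establish_p1: icookie 4d18594e523695f1 rcookie 0000000000000000
155359.455748 Exch 10 exchange_establish_p1: msgid 00000000
155359.460277 Exch 10 exchange_setup_p2: 0x44909000 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
155359.460737 Exch 10 exchange_setup_p2: icookie 4d18594e523695f1 rcookie a6af81ffd3a2d153
155359.461263 Exch 10 exchange_setup_p2: msgid e5eb6990 sa_list
155359.461787 Default message_recv: cleartext phase 2 message
155359.462366 Default dropped message from 10.107.208.20 port 500 due to notification type INVALID_FLAGS
155359.463566 Exch 10 exchange_establish_p1: 0x44909200 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 0
155359.464001 Exch 10 exchange_establish_p1: icookie e82be37d8c1ae997 rcookie 0000000000000000
155359.465751 Exch 10 exchange_finalize: 0x44909200 <unnamed> <no policy> policy initiator phase 1 doi 1 exchange 5 step 1
155406.461707 Timr 10 timer_handle_expirations: event message_send_expire(0x4d2dab00)
"""


def parse_isakmpd_log(lines):
    """Group exchange_* records by exchange pointer and collect drops/warnings."""
    exchanges, drops, cleartext, retransmits = OrderedDict(), [], [], []
    current = None  # pointer of the exchange whose header record we saw last
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, func, text = m.group('ts'), m.group('func') or '', m.group('text')
        if func.startswith('exchange_'):
            e = EXCH_RE.match(text)
            if e:
                current = e.group('ptr')
                rec = exchanges.setdefault(current, {
                    'ptr': current, 'name': e.group('name'), 'role': e.group('role'),
                    'phase': int(e.group('phase')),
                    'type': EXCH_TYPES.get(int(e.group('exch')), e.group('exch')),
                    'icookie': None, 'rcookie': None, 'msgid': None,
                    'first': ts, 'last': ts, 'events': []})
                rec['events'].append((ts, func, int(e.group('step'))))
                rec['last'] = ts
                continue
            c = COOKIE_RE.match(text)
            if c and current:
                exchanges[current]['icookie'], exchanges[current]['rcookie'] = c.group('i'), c.group('r')
                continue
            g = MSGID_RE.match(text)
            if g and current:
                exchanges[current]['msgid'] = g.group('msgid')
            continue
        d = DROP_RE.match(text)
        if d:
            drops.append({'ts': ts, 'peer': d.group('peer'),
                          'port': int(d.group('port')), 'notify': d.group('notify')})
        elif text == 'cleartext phase 2 message':
            cleartext.append(ts)
        elif func == 'timer_handle_expirations' and text.startswith('event message_send_expire('):
            retransmits.append(ts)  # assumption: retransmit timer for an unanswered message
    return {'exchanges': list(exchanges.values()), 'drops': drops,
            'cleartext': cleartext, 'retransmits': retransmits}


def triage(lines):
    """Tie each cleartext-phase-2 warning to the exchange, the ISAKMP SA cookies and the drop."""
    p = parse_isakmpd_log(lines)
    findings = []
    for ts in p['cleartext']:
        p2s = [e for e in p['exchanges'] if e['phase'] == 2 and e['first'] <= ts]
        p2 = p2s[-1] if p2s else None
        drop = next((d for d in p['drops'] if d['ts'] >= ts), None)
        p1 = None
        if p2 and p2['icookie']:  # phase 1 exchange sharing the initiator cookie
            p1 = next((e for e in p['exchanges']
                       if e['phase'] == 1 and e['icookie'] == p2['icookie']), None)
        findings.append({
            'ts': ts, 'peer': drop['peer'] if drop else None,
            'notify': drop['notify'] if drop else None,
            'phase2': p2['type'] if p2 else None, 'role': p2['role'] if p2 else None,
            'icookie': p2['icookie'] if p2 else None,
            'under_phase1': p1['name'] if p1 else None,
            'retransmits_after': sum(1 for r in p['retransmits'] if r > ts)})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f)
```

Run against the quoted trace, the single finding reports that the cleartext message arrived as a phase 2 informational exchange under the same initiator cookie as the main-mode (identity-protection) phase 1 that the router had just started towards ISAKMP-peer-west, that it was dropped with INVALID_FLAGS towards 10.107.208.20, and that a retransmission timer fired afterwards, which matches the "vpn client ends the connection" symptom rather than explaining its cause; the tool only makes the sequence explicit.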

